Difference between revisions of "LDAP authentication"

From ArchWiki
(Client Setup: nslcd.conf needs to be edited if ldap is on a different server and your domain isn't "example.com")
m (Fixed two typos)
 
(83 intermediate revisions by 39 users not shown)
Line 1: Line 1:
[[Category:Networking]] [[Category:Security]]
+
[[Category:Networking]]
 +
[[Category:Authentication]]
 +
[[ja:LDAP 認証]]
 +
{{Related articles start}}
 +
{{Related|OpenLDAP}}
 +
{{Related|LDAP Hosts}}
 +
{{Related articles end}}
 +
 
 
== Introduction and Concepts ==
 
== Introduction and Concepts ==
  
 
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
 
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).
  
The guide will be divided in two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticated against an already existing LDAP server then you can skip to the second part.
+
The guide is divided into two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the [[#Client_Setup|second part]].
  
 
=== NSS and PAM ===
 
=== NSS and PAM ===
 
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.
 
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.
  
PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
+
[[PAM]] (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.
  
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.
+
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate its users.
  
 
== LDAP Server Setup ==
 
== LDAP Server Setup ==
Line 18: Line 25:
  
 
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
 
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
 +
 +
=== Set up access controls ===
 +
 +
To make sure that no-one can read the (encrypted) passwords from the LDAP server, but still allowing users to edit some of their own select attributes (such as own password and photo), add the following to {{ic|/etc/openldap/slapd.conf}} and restart {{ic|slapd.service}} afterwards:
 +
{{note|Alter the domain components "example" and "org" to your needs}}
 +
 +
{{hc|slapd.conf|2=
 +
access to attrs=userPassword,givenName,sn,photo
 +
        by self write
 +
        by anonymous auth
 +
        by dn.base="cn=Manager,dc=example,dc=org" write
 +
        by * none
 +
 +
access to *
 +
        by self read     
 +
        by dn.base="cn=Manager,dc=example,dc=org" write
 +
        by * read
 +
 +
}}
  
 
=== Populate LDAP Tree with Base Data ===
 
=== Populate LDAP Tree with Base Data ===
  
Create a file called {{ic|base.ldif}} with the following text:
+
Create a temporary file called {{ic|base.ldif}} with the following text.
  
 
{{hc|base.ldif|<nowiki>
 
{{hc|base.ldif|<nowiki>
 
# example.org
 
# example.org
 
dn: dc=example,dc=org
 
dn: dc=example,dc=org
 +
dc: example
 +
o: Example Organization
 
objectClass: dcObject
 
objectClass: dcObject
 
objectClass: organization
 
objectClass: organization
o: Example Organization
 
dc: example
 
  
 
# Manager, example.org
 
# Manager, example.org
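Review bot: the new "Set up access controls" text says the ACL keeps the "(encrypted)" passwords unreadable; userPassword holds a hash, not an encrypted value, and the `by anonymous auth` clause is what lets slapd compare a bind password against that hash without ever returning it, which the prose should say. Worth adding that slapd uses the first `access to` directive whose target matches and, within it, the first matching `by` clause, so the `attrs=userPassword,...` rule has to stay above `access to *`; and that `access to * ... by * read` leaves every other attribute (uidNumber, homeDirectory, loginShell, telephoneNumber, ...) readable anonymously, which is fine for a lab but should be stated rather than hidden behind "no-one can read".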
Line 35: Line 61:
 
cn: Manager
 
cn: Manager
 
description: LDAP administrator
 
description: LDAP administrator
roleOccupant: dc=example,dc=org
 
 
objectClass: organizationalRole
 
objectClass: organizationalRole
 
objectClass: top
 
objectClass: top
 +
roleOccupant: dc=example,dc=org
  
 
# People, example.org
 
# People, example.org
Line 45: Line 71:
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
  
# Group, example.org
+
# Groups, example.org
 
dn: ou=Group,dc=example,dc=org
 
dn: ou=Group,dc=example,dc=org
 
ou: Group
 
ou: Group
Line 52: Line 78:
 
</nowiki>}}
 
</nowiki>}}
  
Add it to your OpenLDAP Tree:
+
Add it to your OpenLDAP tree:
  
 
  $ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
 
  $ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
Line 62: Line 88:
 
=== Adding users ===
 
=== Adding users ===
 
To manually add a user, create an {{ic|.ldif}} file like this:
 
To manually add a user, create an {{ic|.ldif}} file like this:
{{hc|example.ldif|<nowiki>
+
{{hc|user_joe.ldif|<nowiki>
 
dn: uid=johndoe,ou=People,dc=example,dc=org
 
dn: uid=johndoe,ou=People,dc=example,dc=org
 
objectClass: top
 
objectClass: top
Line 72: Line 98:
 
uid: johndoe
 
uid: johndoe
 
cn: John Doe
 
cn: John Doe
sn: John
+
sn: Doe
givenName: Doe
+
givenName: John
 
title: Guinea Pig
 
title: Guinea Pig
 
telephoneNumber: +0 000 000 0000
 
telephoneNumber: +0 000 000 0000
Line 87: Line 113:
 
</nowiki>}}
 
</nowiki>}}
  
the {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}}.
+
The {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}} or use the {{ic|slappasswd}} command. Now add the user:
  
You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].
+
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
 +
 
 +
{{Note|You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].}}
  
 
== Client Setup ==
 
== Client Setup ==
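Review bot: the rewritten sentence "replaced with the value in /etc/shadow or use the slappasswd command" should say which part of the shadow line and which hash scheme: only the second colon-separated field (the crypt(3) hash) belongs after the template's `{CRYPT}` prefix, whereas `slappasswd` emits an `{SSHA}` value by default that already carries its own prefix, so `{CRYPT}` must be dropped in that case (or the scheme chosen with slappasswd's `-h` option). Suggest also noting that `user_joe.ldif` now contains a password hash and should be kept at mode 0600 or deleted after `ldapadd`, and that the file name (`user_joe`) does not match the entry it holds (`johndoe`).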
Line 95: Line 123:
 
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.
 
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.
  
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[official repositories]].
+
Next, [[install]] the {{pkg|nss-pam-ldapd}} package.
  
 
=== NSS Configuration ===
 
=== NSS Configuration ===
Line 108: Line 136:
 
Edit {{ic|/etc/nslcd.conf}} and change the {{ic|base}} and {{ic|uri}} lines to fit your ldap server setup.
 
Edit {{ic|/etc/nslcd.conf}} and change the {{ic|base}} and {{ic|uri}} lines to fit your ldap server setup.
  
Restart {{ic|nslcd.service}}.
+
Start {{ic|nslcd.service}} using systemd.
  
 
You now should see your LDAP users when running {{ic|getent passwd}} on the client.
 
You now should see your LDAP users when running {{ic|getent passwd}} on the client.
  
==== Name Service Cache Daemon ====
+
=== PAM Configuration ===
You can optionally run NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can login when the LDAP server is down, it will also reduce load on the LDAP server.
+
The basic rule of thumb for PAM configuration is to include {{ic|pam_ldap.so}} wherever {{ic|pam_unix.so}} is included. Arch moving to {{pkg|pambase}} has helped decrease the amount of edits required. For more details about configuring pam, the [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html RedHat Documentation] is quite good. You might also want the upstream documentation for [http://arthurdejong.org/nss-pam-ldapd nss-pam-ldapd].
 +
 
 +
{{Tip|If you want to prevent UID clashes with local users on your system, you might want to include {{ic|minimum_uid&#61;10000}} or similar on the end of the {{ic|pam_ldap.so}} lines. You will have to make sure the LDAP server returns uidNumber fields that match the restriction.}}
 +
 
 +
{{Note|Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for ''auth'', ''password'', and ''account'' is ''sufficient'' lines before ''required'', but after required lines for the ''session'' section; ''optional'' can almost always go at the end. When adding your {{ic|pam_ldap.so}} lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.}}
 +
 
 +
First edit {{ic|/etc/pam.d/system-auth}}. This file is included in most of the other files in {{ic|pam.d}}, so changes here propagate nicely. Updates to {{pkg|pambase}} may change this file.
 +
 
 +
Make {{ic|pam_ldap.so}} sufficient at the top of each section, except in the ''session'' section, where we make it optional.
 +
{{hc|/etc/pam.d/system-auth|
 +
'''auth      sufficient pam_ldap.so'''
 +
auth      required  pam_unix.so    try_first_pass nullok
 +
auth      optional  pam_permit.so
 +
auth      required  pam_env.so
 +
 
 +
'''account  sufficient pam_ldap.so'''
 +
account  required  pam_unix.so
 +
account  optional  pam_permit.so
 +
account  required  pam_time.so
 +
 
 +
'''password  sufficient pam_ldap.so'''
 +
password  required  pam_unix.so    try_first_pass nullok sha512 shadow
 +
password  optional  pam_permit.so
 +
 
 +
session  required  pam_limits.so
 +
session  required  pam_unix.so
 +
'''session  optional  pam_ldap.so'''
 +
session  optional  pam_permit.so
 +
}}
 +
 
 +
Then edit both {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} identically. The {{ic|su-l}} file is used when the user runs {{ic|su --login}}.
 +
 
 +
Make {{ic|pam_ldap.so}} sufficient at the top of each section but below {{ic|pam_rootok}}, and add {{ic|use_first_pass}} to {{ic|pam_unix}} in the ''auth'' section.
 +
{{hc|/etc/pam.d/su|
 +
#%PAM-1.0
 +
auth      sufficient    pam_rootok.so
 +
'''auth      sufficient    pam_ldap.so'''
 +
# Uncomment the following line to implicitly trust users in the "wheel" group.
 +
#auth    sufficient    pam_wheel.so trust use_uid
 +
# Uncomment the following line to require a user to be in the "wheel" group.
 +
#auth    required      pam_wheel.so use_uid
 +
auth      required pam_unix.so '''use_first_pass'''
 +
'''account  sufficient    pam_ldap.so'''
 +
account  required pam_unix.so
 +
'''session  sufficient    pam_ldap.so'''
 +
session  required pam_unix.so
 +
}}
 +
 
 +
To enable users to edit their password, edit {{ic|/etc/pam.d/passwd}}:
 +
 
 +
{{hc|/etc/pam.d/passwd|2=
 +
#%PAM-1.0
 +
'''password        sufficient      pam_ldap.so'''
 +
#password      required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 +
#password      required        pam_unix.so sha512 shadow use_authtok
 +
password        required        pam_unix.so sha512 shadow nullok
 +
}}
 +
 
 +
==== Create home folders at login ====
 +
 
 +
If you want home folders to be created at login (eg: if you are not using NFS to store home folders), edit {{ic|/etc/pam.d/system-login}} and add {{ic|pam_mkhomedir.so}} to the ''session'' section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} to enable it for {{ic|su}} and {{ic|su --login}}. If you do not want to do this for ssh logins, edit {{ic|system-local-login}} instead of {{ic|system-login}}, etc.
 +
 
 +
{{hc|/etc/pam.d/system-login|
 +
...top of file not shown...
 +
session    optional  pam_loginuid.so
 +
session    include    system-auth
 +
session    optional  pam_motd.so          motd&#61;/etc/motd
 +
session    optional  pam_mail.so          dir&#61;/var/spool/mail standard quiet
 +
-session  optional  pam_systemd.so
 +
session    required  pam_env.so
 +
'''session    required  pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''
 +
}}
 +
 
 +
{{hc|/etc/pam.d/su-l|
 +
...top of file not shown...
 +
'''session        required        pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''
 +
session        sufficient      pam_ldap.so
 +
session        required        pam_unix.so
 +
}}
 +
 
 +
==== Enable sudo ====
 +
 
 +
To enable sudo from an LDAP user, edit {{ic|/etc/pam.d/sudo}}. You will also need to modify sudoers accordingly.
 +
{{hc|/etc/pam.d/sudo|
 +
#%PAM-1.0
 +
'''auth      sufficient    pam_ldap.so'''
 +
auth      required      pam_unix.so  '''try_first_pass'''
 +
auth      required      pam_nologin.so
 +
}}
 +
 
 +
You will also need to add in {{ic|/etc/openldap/ldap.conf}} the following.
 +
{{hc|/etc/openldap/ldap.conf|2=
 +
sudoers_base ou=sudoers,dc=AFOLA
 +
}}
 +
 
 +
== Online and Offline Authentication with SSSD ==
 +
 
 +
SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will D-BUS based interfaces for extended user information. It provides also a better database to store local users as well as extended user data.
 +
 
 +
=== General Package Details ===
 +
 
 +
[[Install]] the {{pkg|sssd}} package.
  
Start {{ic|nscd.service}} using systemd.
+
=== How to enable SSSD for basic Authentication ===
  
{{Note|It is recommended to stop the NSCD when troubleshooting because it may mask problems by serving cached queries.}}
+
==== 1. SSSD Configuration ====
  
=== PAM Configuration ===
+
If it does not exist create {{ic|/etc/sssd/sssd.conf}}.
{{Out of date|{{pkg|pambase}} obsoletes most of the pam section}}
+
{{hc|/etc/sssd/sssd.conf|2=
Edit {{ic|/etc/pam.d/login}}:
+
[sssd]
 +
config_file_version = 2
 +
services = nss, pam
 +
domains = LDAP
 +
 
 +
[domain/LDAP]
 +
cache_credentials = true
 +
enumerate = true
 +
 
 +
id_provider = ldap
 +
auth_provider = ldap
 +
 
 +
ldap_uri = ldap://server1.example.org, ldap://server2.example.org
 +
ldap_search_base = dc=example,dc=org
 +
ldap_id_use_start_tls = true
 +
ldap_tls_reqcert = demand
 +
ldap_tls_cacert = /etc/openldap/certs/cacerts.pem
 +
chpass_provider = ldap
 +
ldap_chpass_uri = ldap://server1.example.org
 +
entry_cache_timeout = 600
 +
ldap_network_timeout = 2
 +
ldap_group_member = uniquemember
 +
}}
 +
 
 +
The above is an example only.  See {{man|5|sssd.conf}} for the full details.
 +
 
 +
Finally set the file permissions {{ic|chmod 600 /etc/sssd/sssd.conf}} otherwise sssd will fail to start.
 +
 
 +
==== 2. NSCD Configuration ====
 +
 
 +
Disable caching for passwd, group and netgroup entries in {{ic|/etc/nscd.conf}} as it will interfere with sssd caching.
 +
 
 +
Keep caching enabled for hosts entries otherwise some services may fail to start.
 +
{{hc|/etc/nscd.conf|
 +
# Begin /etc/nscd.conf
 +
''[...]''
 +
enable-cache passwd '''no'''
 +
''[...]''
 +
enable-cache group '''no'''
 +
''[...]''
 +
enable-cache hosts yes
 +
''[...]''
 +
enable-cache netgroup '''no'''
 +
''[...]''
 +
# End /etc/nscd.conf
 +
}}
 +
 
 +
==== 3. NSS Configuration ====
 +
 
 +
Edit {{ic|/etc/nsswitch.conf}} as follows.
 +
{{hc|/etc/nsswitch.conf|
 +
# Begin /etc/nsswitch.conf
 +
 
 +
passwd: files '''sss'''
 +
group: files '''sss'''
 +
shadow: files '''sss'''
 +
'''sudoers: files sss'''
 +
 
 +
publickey: files
 +
 
 +
hosts: files dns myhostname
 +
networks: files
 +
 
 +
protocols: files
 +
services: files
 +
ethers: files
 +
rpc: files
 +
 
 +
netgroup: files
 +
 
 +
# End /etc/nsswitch.conf
 +
}}
 +
 
 +
==== 4. PAM Configuration ====
 +
 
 +
The first step is to edit {{ic|/etc/pam.d/system-auth}} as follows.
 +
{{hc|/etc/pam.d/system-auth|2=
 +
#%PAM-1.0
 +
 
 +
'''auth sufficient pam_sss.so forward_pass'''
 +
auth required pam_unix.so try_first_pass nullok
 +
auth optional pam_permit.so
 +
auth required pam_env.so
  
auth            requisite      pam_securetty.so
+
'''account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so'''
auth            requisite      pam_nologin.so
+
account required pam_unix.so
auth            sufficient      pam_ldap.so             
+
account optional pam_permit.so
auth            required        pam_env.so
+
account required pam_time.so
auth            required        pam_unix.so nullok try_first_pass
 
account         sufficient      pam_ldap.so
 
account         required       pam_access.so
 
account         required        pam_unix.so
 
session        required        pam_motd.so
 
session        required        pam_limits.so
 
session        optional       pam_mail.so dir=/var/spool/mail standard
 
session        optional        pam_lastlog.so
 
session        required       pam_unix.so
 
  
Edit {{ic|/etc/pam.d/passwd}}:
+
'''password sufficient pam_sss.so use_authtok'''
 +
password required pam_unix.so try_first_pass nullok sha512 shadow
 +
password optional pam_permit.so
  
password        sufficient     pam_ldap.so
+
'''session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077'''
password        required       pam_unix.so shadow md5 nullok
+
session required pam_limits.so
 +
session required pam_unix.so
 +
'''session optional pam_sss.so'''
 +
session optional pam_permit.so
 +
}}
  
Edit {{ic|/etc/pam.d/shadow}}:
+
These PAM changes will apply to fresh login. To also allow the {{ic|su}} command to authenticate through SSSD, edit {{ic|/etc/pam.d/su}}:
  
auth            sufficient      pam_ldap.so
+
{{hc|/etc/pam.d/su|2=
auth            sufficient      pam_rootok.so
+
#%PAM-1.0
auth            required        pam_unix.so
+
auth            sufficient        pam_rootok.so
account        sufficient     pam_ldap.so
 
account        required       pam_unix.so
 
session        sufficient      pam_ldap.so
 
session        required        pam_unix.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_permit.so
 
  
Edit {{ic|/etc/pam.d/su}}:
+
'''auth sufficient  pam_sss.so      forward_pass'''
 +
auth            required        pam_unix.so
  
auth            sufficient      pam_ldap.so
+
'''account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so'''
auth            sufficient      pam_rootok.so
+
account        required        pam_unix.so
auth            required        pam_unix.so use_first_pass
 
account         sufficient      pam_ldap.so
 
account         required        pam_unix.so
 
session        sufficient      pam_ldap.so
 
session         required        pam_unix.so
 
  
Edit {{ic|/etc/pam.d/sshd}}:
+
'''session        required        pam_unix.so'''
 +
session optional pam_sss.so
 +
}}
  
auth            sufficient      pam_ldap.so
+
===== 1. SUDO Configuration =====
auth            required        pam_securetty.so        #Disable remote root
 
auth            required        pam_unix.so try_first_pass
 
auth            required        pam_nologin.so
 
auth            required        pam_env.so
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
account        required        pam_time.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_unix.so
 
session        required        pam_unix_session.so
 
session        required        pam_limits.so
 
  
Edit {{ic|/etc/pam.d/other}}:
+
Edit {{ic|/etc/pam.d/sudo}} as follows.
 +
{{hc|/etc/pam.d/sudo|
 +
#%PAM-1.0
 +
'''auth          sufficient      pam_sss.so'''
 +
auth          required        pam_unix.so try_first_pass
 +
auth          required        pam_nologin.so
 +
}}
  
auth            sufficient      pam_ldap.so
+
===== 2. Password Management =====
auth            required        pam_unix.so
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_unix.so
 
session        required        pam_unix.so
 
  
== Resources ==
+
In order to enable users to change their passwords using {{ic|passwd}} edit {{ic|/etc/pam.d/passwd}} as follows.
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]
+
{{hc|/etc/pam.d/passwd|2=
 +
#%PAM-1.0
 +
'''password        sufficient      pam_sss.so'''
 +
#password      required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 +
#password      required        pam_unix.so sha512 shadow use_authtok
 +
password        required        pam_unix.so sha512 shadow nullok
 +
}}
  
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]
+
[[Start/enable]] the {{ic|sssd.service}} systemd unit.
  
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]
+
You should now be able to see details of your ldap users with {{ic|getent passwd <username>}} or {{ic|id <username>}}.
  
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]
+
Once you have logged in with a user the credentials will be cached and you will be able to login using the cached credentials when the ldap server is offline or unavailable.
  
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]
+
== Resources ==
 +
* [http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]
 +
* [[debian:LDAP/NSS|Debian Wiki - LDAP/NSS]]
 +
* [[debian:LDAP/PAM|Debian Wiki - LDAP/PAM]]
 +
* [https://www.fatofthelan.com/technical/using-ldap-for-single-authentication/ Using LDAP for single authentication]
 +
* [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]
 +
* [http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]
 +
* [https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html Fedora's SSSD User Guide]
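Review bot: the `/etc/openldap/ldap.conf` addition under "Enable sudo" sets `sudoers_base ou=sudoers,dc=AFOLA`, a suffix that appears nowhere else on the page; it should use the page's `dc=example,dc=org` base, and the text should say that the `ou=sudoers` subtree with its sudoRole entries has to exist (and that sudo must be built with LDAP support) for the setting to do anything, since "modify sudoers accordingly" does not tell the reader that. Two ordering problems in the same hunk: the `/etc/pam.d/su` block puts `session sufficient pam_ldap.so` above `session required pam_unix.so`, which contradicts the note added a few lines earlier (sufficient after required in the session stack) and means pam_unix's session handling is skipped for directory users; and in the SSSD `system-auth` block `password sufficient pam_sss.so use_authtok` is the first module of the stack, but `use_authtok` tells pam_sss to reuse a new password set by an earlier module, so with nothing above it there is no new password to reuse and the change fails; drop `use_authtok` there or move the line below a module that prompts for the new password.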

Latest revision as of 12:25, 31 May 2019

Introduction and Concepts

This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).

The guide is divided into two parts. The first part deals with how to setup an OpenLDAP server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

NSS and PAM

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.

PAM (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.

So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases and then configure PAM to use these sources to authenticate its users.

LDAP Server Setup

Installation

You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.

Set up access controls

To make sure that no one can read the (hashed) passwords from the LDAP server, while still allowing users to edit a few of their own attributes (such as their own password and photo), add the following to /etc/openldap/slapd.conf and restart slapd.service afterwards. slapd applies the first access to directive whose target matches the requested attribute and, within it, the first matching by clause, so keep the attribute rule above the catch-all access to *. The by anonymous auth clause is what lets an unauthenticated client bind (prove it knows the password) without being able to read the hash. Note that access to * ... by * read still leaves every other attribute of every entry readable anonymously, which is fine for a lab but worth knowing before exposing the server to a wider network.

Note: Alter the domain components "example" and "org" to your needs
slapd.conf
access to attrs=userPassword,givenName,sn,photo
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=org" write
        by * none

access to *
        by self read       
        by dn.base="cn=Manager,dc=example,dc=org" write
        by * read

Populate LDAP Tree with Base Data

Create a temporary file called base.ldif with the following text.

base.ldif
# example.org
dn: dc=example,dc=org
dc: example
o: Example Organization
objectClass: dcObject
objectClass: organization

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=example,dc=org

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Groups, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Add it to your OpenLDAP tree:

$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'

Adding users

To manually add a user, create an .ldif file like this:

user_joe.ldif
dn: uid=johndoe,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John Doe
sn: Doe
givenName: John
title: Guinea Pig
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}xxxxxxxxxx
labeledURI: https://archlinux.org/
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/johndoe/
description: This is an example user

The xxxxxxxxxx in the userPassword entry should be replaced with a password hash: either the second colon-separated field of the user's line in /etc/shadow (a crypt(3) hash, which is what the {CRYPT} prefix tells slapd to compare against), or the output of slappasswd, which defaults to the {SSHA} scheme and already includes its own prefix, so drop {CRYPT} in that case. Because the LDIF now holds a password hash, keep it at mode 0600 and delete it once imported. Now add the user:

$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif
Note: You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's Migration Tools.
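As an added example (not from the ArchWiki page), the following Python script shows what the userPassword value has to look like and how to produce a complete entry for ldapadd without pasting hashes by hand: it computes a salted {SSHA} hash in the format slappasswd emits by default, verifies a password against such a hash the way slapd does on a simple bind, and renders the posixAccount entry as LDIF, base64-encoding any value that RFC 2849 does not allow in plain form. The dc=example,dc=org suffix and ou=People container are the page's; the function names are this example's own, and the sample user at the bottom is constructed.

```python
"""Added example, not from the ArchWiki page: salted {SSHA} userPassword
values and a posixAccount LDIF entry, using the page's dc=example,dc=org
suffix and ou=People container.  Function names are this example's own."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style value: '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd also uses a random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt recovered from the stored value
    and compare in constant time, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line.  Values RFC 2849 does not allow as SAFE-STRING
    (leading space/colon/'<', non-ASCII, control characters) are base64-encoded
    behind the '::' separator so ldapadd reads them back unchanged."""
    safe_init = bool(value) and value[0] not in " :<"
    safe_chars = all(31 < ord(c) < 127 for c in value)
    if safe_init and safe_chars:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_ldif(uid: str, given_name: str, sn: str, uid_number: int, gid_number: int,
              password: str, base_dn: str = "dc=example,dc=org",
              login_shell: str = "/bin/bash") -> str:
    """Render the same kind of entry as the page's user_joe.ldif, with the
    password hashed here instead of copied from /etc/shadow."""
    attrs = [
        ("dn", f"uid={uid},ou=People,{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", f"{given_name} {sn}"),
        ("sn", sn),
        ("givenName", given_name),
        ("userPassword", ssha_hash(password)),
        ("loginShell", login_shell),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample user; pipe the output to:
    #   ldapadd -D "cn=Manager,dc=example,dc=org" -W
    print(user_ldif("johndoe", "John", "Doe", 9999, 9999, "correct horse battery staple"))
```

Piping the output straight into ldapadd avoids leaving a file with the hash on disk at all; if you do write it out, the 0600/delete advice above applies. The verify function is there to show why the ACL's by anonymous auth is enough: the server never has to hand the hash out to check a bind.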

Client Setup

Install the OpenLDAP client as described in OpenLDAP. Make sure you can query the server with ldapsearch.

Next, install the nss-pam-ldapd package.

NSS Configuration

NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.

Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:

passwd: files ldap
group: files ldap
shadow: files ldap

Edit /etc/nslcd.conf and change the base and uri lines to fit your LDAP server setup: uri must point at the server (this is required whenever the directory is not on the same host) and base must be your suffix, e.g. dc=example,dc=org. Use an ldaps:// URI or set ssl start_tls so that the passwords pam_ldap sends for binds do not cross the network in cleartext.

Start nslcd.service using systemd.

You now should see your LDAP users when running getent passwd on the client.

PAM Configuration

The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever pam_unix.so is included. Arch moving to pambase has helped decrease the amount of edits required. For more details about configuring PAM, the Red Hat documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.

Tip: If you want to prevent UID clashes with local users on your system, you might want to include minimum_uid=10000 or similar on the end of the pam_ldap.so lines. You will have to make sure the LDAP server returns uidNumber fields that match the restriction.
Note: Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for auth, password, and account is sufficient lines before required, but after required lines for the session section; optional can almost always go at the end. When adding your pam_ldap.so lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.

First edit /etc/pam.d/system-auth. This file is included in most of the other files in pam.d, so changes here propagate nicely. Updates to pambase may change this file.

Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.

/etc/pam.d/system-auth
auth      sufficient pam_ldap.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   sufficient pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_ldap.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ldap.so
session   optional  pam_permit.so
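The note above about sufficient lines short-circuiting the chain is easier to see by running it. The following is an added example, not code from the ArchWiki page or from Linux-PAM: a Python model of how Linux-PAM walks one stack with the simple control flags of pam.conf(5) (required, requisite, sufficient, optional), applied to the account stack of the system-auth file just shown and to the same modules with pam_time.so moved first. Module results are constructed per scenario rather than produced by real modules.

```python
"""Added example, not from the ArchWiki page or Linux-PAM: a model of how
Linux-PAM evaluates one management group (here the page's 'account' stack)
so the effect of 'sufficient' ordering can be checked without logging in.
Module results are supplied per scenario; no real module is loaded."""
from typing import Dict, List, Tuple

# The page's /etc/pam.d/system-auth account stack, top to bottom.
ACCOUNT_STACK = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
    ("optional", "pam_permit.so"),
    ("required", "pam_time.so"),
]

# Same modules with pam_time.so above the sufficient line, so its verdict is
# recorded before pam_ldap.so is allowed to end the stack early.
TIME_FIRST_STACK = [
    ("required", "pam_time.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
    ("optional", "pam_permit.so"),
]


def run_stack(stack: List[Tuple[str, str]],
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack as pam.conf(5) describes the simple control flags.

    results maps module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (stack succeeded, modules that were actually consulted)."""
    consulted: List[str] = []
    required_failed = False   # a 'required' failure is remembered, the stack continues
    have_success = False      # some required/requisite module answered yes
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "required":
            if ok:
                have_success = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False, consulted   # fail at once; nothing below runs
            have_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted    # stop here; later lines are never consulted
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if len(stack) == 1:           # only decisive when it is the whole stack
                have_success = ok
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if required_failed:
        return False, consulted
    return have_success, consulted


def explain(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> str:
    """Human-readable verdict plus which modules never got a say."""
    ok, consulted = run_stack(stack, results)
    skipped = [m for _, m in stack if m not in consulted]
    return f"{'ALLOW' if ok else 'DENY'}; consulted {consulted}; never consulted {skipped}"


if __name__ == "__main__":
    # Constructed scenario: a directory user logging in outside the hours
    # that pam_time.so (/etc/security/time.conf) permits.
    ldap_user_off_hours = {"pam_ldap.so": True, "pam_unix.so": True,
                           "pam_permit.so": True, "pam_time.so": False}
    print("page order     :", explain(ACCOUNT_STACK, ldap_user_off_hours))
    print("pam_time first :", explain(TIME_FIRST_STACK, ldap_user_off_hours))
```

With the page's order, a directory user is allowed in and pam_time.so is never consulted; with pam_time.so above the sufficient line the same user is denied. The lesson generalises: anything a module below a sufficient line is supposed to enforce for LDAP users is not enforced unless pam_ldap.so enforces it itself or the module is moved above it as required.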

Then edit both /etc/pam.d/su and /etc/pam.d/su-l identically. The su-l file is used when the user runs su --login.

Make pam_ldap.so sufficient at the top of each section but below pam_rootok, and add use_first_pass to pam_unix in the auth section.

/etc/pam.d/su
#%PAM-1.0
auth      sufficient    pam_rootok.so
auth      sufficient    pam_ldap.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth     sufficient    pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth     required      pam_wheel.so use_uid
auth      required	pam_unix.so use_first_pass
account   sufficient    pam_ldap.so
account   required	pam_unix.so
session   sufficient    pam_ldap.so
session   required	pam_unix.so

To enable users to edit their password, edit /etc/pam.d/passwd:

/etc/pam.d/passwd
#%PAM-1.0
password        sufficient      pam_ldap.so
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

Create home folders at login

If you want home folders to be created at login (e.g. if you are not using NFS to store home folders), edit /etc/pam.d/system-login and add pam_mkhomedir.so to the session section above any "sufficient" items; a sufficient line that succeeds ends the stack, so a pam_mkhomedir.so line below it would never run. This causes home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as /etc/pam.d/su and /etc/pam.d/su-l to enable it for su and su --login. If you do not want to do this for ssh logins, edit system-local-login instead of system-login, etc.

/etc/pam.d/system-login
...top of file not shown...
session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
session    required   pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/su-l
...top of file not shown...
session         required        pam_mkhomedir.so skel=/etc/skel umask=0022
session         sufficient      pam_ldap.so
session         required        pam_unix.so

Enable sudo

To let LDAP users run sudo, edit /etc/pam.d/sudo. PAM only handles the password check; the users or their groups still need a matching rule in sudoers (edit it with visudo), because sudoers decides who may run what.

/etc/pam.d/sudo
#%PAM-1.0
auth      sufficient    pam_ldap.so
auth      required      pam_unix.so  try_first_pass
auth      required      pam_nologin.so

If the sudoers rules themselves are stored in the directory (sudo's LDAP backend, instead of /etc/sudoers), you also need to tell sudo where to find them in /etc/openldap/ldap.conf, using your own base DN:

/etc/openldap/ldap.conf
sudoers_base ou=sudoers,dc=example,dc=org

Online and Offline Authentication with SSSD

SSSD is a system daemon. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and D-Bus based interfaces (the InfoPipe responder) for extended user information. It also provides a better database to store local users as well as extended user data.

General Package Details

Install the sssd package.

How to enable SSSD for basic Authentication

1. SSSD Configuration

If it does not exist create /etc/sssd/sssd.conf.

/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://server1.example.org, ldap://server2.example.org
ldap_search_base = dc=example,dc=org
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacerts.pem
chpass_provider = ldap
ldap_chpass_uri = ldap://server1.example.org
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_group_member = uniquemember

The above is an example only; see sssd.conf(5) and sssd-ldap(5) for the full details. Two of the settings matter for security. With plain ldap:// URIs, ldap_id_use_start_tls = true upgrades the identity connection to TLS (sssd already insists on TLS for the password bind itself unless ldap_auth_disable_tls_never_use_in_production is set, which it never should be). ldap_tls_reqcert = demand together with ldap_tls_cacert makes sssd reject a server whose certificate does not chain to your CA, so a spoofed server cannot collect passwords. Also note that enumerate = true makes sssd download the whole directory, which is expensive on large trees, and that cache_credentials = true is what allows logins while the server is unreachable.

Finally make the file owned by root with mode 600 (chmod 600 /etc/sssd/sssd.conf), otherwise sssd will refuse to start.
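
To check an sssd.conf against the points just described, here is an added example (not part of SSSD, the sssd tooling, or the ArchWiki page): a POSIX sh function that reads the [domain/*] sections and reports the weak settings, run against a constructed weak domain and against the hardened one from this page. The function and file names, the weak sample and the sample directory are assumptions made for illustration only.

```shell
#!/bin/sh
# sssd_conf_check FILE: report weak transport and offline-login settings in
# the [domain/*] sections of an sssd.conf. Added example for this page; not
# part of SSSD or the ArchWiki, and it only knows the options shown here.
#   FAIL  ldap:// in ldap_uri without ldap_id_use_start_tls = true (lookups in clear)
#   FAIL  ldap_auth_disable_tls_never_use_in_production set (clear-text binds)
#   FAIL  ldap_tls_reqcert allow/never/try (a spoofed server would be trusted)
#   FAIL  file mode not 0600 (sssd refuses to start)
#   WARN  cache_credentials not true (no login while the server is down)
#   WARN  enumerate = true (downloads the whole directory)
# Exit status: 0 if no FAIL line was printed, 1 otherwise.
sssd_conf_check() {
    f=$1; bad=0
    perm=$(ls -ld "$f" | cut -c1-10)
    if [ "$perm" != "-rw-------" ]; then
        echo "FAIL: $f has mode $perm, must be -rw------- (chmod 600)"; bad=1
    fi
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function fail(m) { print "FAIL: [" sec "] " m; bad = 1 }
    function report() {                   # called when a section ends
        if (sec == "") return
        if (uri ~ /(^|[ ,])ldap:\/\// && tls != "true")
            fail("ldap_uri uses ldap:// but ldap_id_use_start_tls is not true")
        if (notls != "")
            fail("ldap_auth_disable_tls_never_use_in_production is set")
        if (reqcert != "" && reqcert != "demand" && reqcert != "hard")
            fail("ldap_tls_reqcert = " reqcert " accepts bad server certificates")
        if (cache != "true")
            print "WARN: [" sec "] cache_credentials is not true; no offline login"
        if (enum == "true")
            print "WARN: [" sec "] enumerate = true is expensive on large directories"
    }
    /^[ \t]*(#|;|$)/ { next }
    /^[ \t]*\[/ {                         # section header
        report()
        uri = tls = notls = reqcert = cache = enum = sec = ""
        s = trim($0)
        if (s ~ /^\[domain\//) sec = substr(s, 2, length(s) - 2)
        next
    }
    sec != "" && index($0, "=") {         # key = value inside a domain
        i = index($0, "=")
        key = trim(substr($0, 1, i - 1))
        val = tolower(trim(substr($0, i + 1)))
        if (key == "ldap_uri") uri = val
        else if (key == "ldap_id_use_start_tls") tls = val
        else if (key == "ldap_auth_disable_tls_never_use_in_production") notls = val
        else if (key == "ldap_tls_reqcert") reqcert = val
        else if (key == "cache_credentials") cache = val
        else if (key == "enumerate") enum = val
    }
    END { report(); exit bad ? 1 : 0 }' "$f" || bad=1
    return $bad
}

# Constructed sample files: a weak domain and the hardened one from this page.
write_sssd_samples() {
    cat > "$1/weak.conf" <<'EOF'
[sssd]
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.org
ldap_tls_reqcert = allow
ldap_auth_disable_tls_never_use_in_production = true
EOF
    chmod 644 "$1/weak.conf"             # world-readable on purpose
    cat > "$1/fixed.conf" <<'EOF'
[sssd]
domains = LDAP
[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.example.org, ldap://server2.example.org
ldap_search_base = dc=example,dc=org
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacerts.pem
EOF
    chmod 600 "$1/fixed.conf"
}

# Demo when run directly
d=$(mktemp -d)
write_sssd_samples "$d"
for c in weak fixed; do
    echo "== $c.conf"
    if sssd_conf_check "$d/$c.conf"; then echo "no FAIL lines"; fi
done
rm -rf "$d"
```

Run it as root against the live file with sssd_conf_check /etc/sssd/sssd.conf. It parses only the options shown on this page; sssctl config-check (shipped with sssd) validates the rest of the syntax.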

2. NSCD Configuration

Disable caching for passwd, group and netgroup entries in /etc/nscd.conf as it will interfere with sssd caching.

Keep caching enabled for hosts entries otherwise some services may fail to start.

/etc/nscd.conf
# Begin /etc/nscd.conf
[...]
enable-cache		passwd		no
[...]
enable-cache		group		no
[...]
enable-cache		hosts		yes
[...]
enable-cache		netgroup	no
[...]
# End /etc/nscd.conf

3. NSS Configuration

Edit /etc/nsswitch.conf as follows. The sudoers line only matters if sudo rules are kept in the directory; it needs sssd's sudo responder (add sudo to the services line in sssd.conf, or rely on socket activation on recent versions) and sudo simply falls back to files otherwise.

/etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: files sss
group: files sss
shadow: files sss
sudoers: files sss

publickey: files

hosts: files dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

# End /etc/nsswitch.conf

4. PAM Configuration

The first step is to edit /etc/pam.d/system-auth as follows.

/etc/pam.d/system-auth
#%PAM-1.0

auth sufficient pam_sss.so forward_pass
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

password sufficient pam_sss.so use_authtok
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so

These PAM changes apply to fresh logins. To also let the su command authenticate through SSSD, edit /etc/pam.d/su:

/etc/pam.d/su
#%PAM-1.0
auth            sufficient        pam_rootok.so

auth sufficient   pam_sss.so      forward_pass
auth            required        pam_unix.so

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account         required        pam_unix.so

session         required        pam_unix.so
session optional pam_sss.so
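
The same ordering rules apply to the pam_ldap su stacks earlier on this page and to the pam_sss ones here, and getting them wrong is the usual cause of "Authentication failure" for LDAP-only users or of root being prompted by su. Here is an added example (not part of Linux-PAM, nss-pam-ldapd, SSSD or the ArchWiki page): a POSIX sh function that lints the auth section of a PAM service file. The sample files and their names are constructed; su.good is this page's pam_ldap su stack, su.sss the pam_sss one just above (it gets a WARN, because pam_unix there has no try_first_pass and local users are prompted twice), and su.bad a deliberately mis-ordered stack.

```shell
#!/bin/sh
# pam_ldap_lint FILE: check the "auth" section of a PAM service file (su,
# su-l, sudo, system-auth, ...) for the ordering this page relies on. Added
# example for this page; not part of Linux-PAM, nss-pam-ldapd or SSSD.
# "Directory module" below means pam_ldap.so or pam_sss.so.
#   FAIL  no directory module in the auth section
#   FAIL  directory module is not "sufficient"
#   FAIL  pam_rootok.so comes after the directory module (root would be
#         asked for the target user's directory password first)
#   FAIL  a required/requisite pam_unix.so precedes the directory module
#         (its failure for an LDAP-only user fails the whole stack)
#   WARN  pam_unix.so after the directory module lacks use_first_pass or
#         try_first_pass (local users get prompted twice)
# Exit status: 0 if no FAIL line was printed, 1 otherwise.
pam_ldap_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        type = $1; sub(/^-/, "", type)       # "-auth" is "auth" with missing-ok
        if (type != "auth") next
        n++
        mod = $3
        if (mod == "pam_rootok.so") rootok = n
        if (mod == "pam_ldap.so" || mod == "pam_sss.so") {
            if (!dir) { dir = n; dirmod = mod }
            if ($2 != "sufficient") {
                print "FAIL: " mod " is " $2 ", should be sufficient"; bad = 1
            }
        }
        if (mod == "pam_unix.so") {
            if (!unixpos) { unixpos = n; unixctl = $2 }
            args = ""
            for (i = 4; i <= NF; i++) args = args " " $i
            if (dir && args !~ /(use|try)_first_pass/)
                print "WARN: pam_unix.so after " dirmod " lacks use_first_pass/try_first_pass (double prompt)"
        }
    }
    END {
        if (!dir) { print "FAIL: no pam_ldap.so/pam_sss.so in auth section"; bad = 1 }
        if (rootok && dir && rootok > dir) {
            print "FAIL: pam_rootok.so must precede " dirmod; bad = 1
        }
        if (dir && unixpos && unixpos < dir && (unixctl == "required" || unixctl == "requisite")) {
            print "FAIL: " unixctl " pam_unix.so precedes " dirmod " (LDAP-only users fail here)"; bad = 1
        }
        exit bad ? 1 : 0
    }' "$1"
}

# Constructed samples: the pam_ldap su stack from this page, the pam_sss one,
# and a mis-ordered stack.
write_pam_samples() {
    cat > "$1/su.good" <<'EOF'
#%PAM-1.0
auth      sufficient    pam_rootok.so
auth      sufficient    pam_ldap.so
auth      required      pam_unix.so use_first_pass
account   sufficient    pam_ldap.so
account   required      pam_unix.so
EOF
    cat > "$1/su.sss" <<'EOF'
#%PAM-1.0
auth      sufficient    pam_rootok.so
auth      sufficient    pam_sss.so forward_pass
auth      required      pam_unix.so
EOF
    cat > "$1/su.bad" <<'EOF'
#%PAM-1.0
auth      required      pam_unix.so
auth      sufficient    pam_ldap.so
auth      sufficient    pam_rootok.so
EOF
}

# Demo when run directly
d=$(mktemp -d)
write_pam_samples "$d"
for s in su.good su.sss su.bad; do
    echo "== $s"
    if pam_ldap_lint "$d/$s"; then echo "no FAIL lines"; fi
done
rm -rf "$d"
```

On a real system run it as root over the files you edited, for example for f in su su-l sudo system-auth; do pam_ldap_lint /etc/pam.d/$f; done. It checks only the auth section and only the rules listed in its header; it does not replace a test login with one LDAP-only account and one local account.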

5. sudo Configuration

Edit /etc/pam.d/sudo as follows.

/etc/pam.d/sudo
#%PAM-1.0
auth           sufficient      pam_sss.so
auth           required        pam_unix.so try_first_pass
auth           required        pam_nologin.so

6. Password Management

To enable users to change their passwords using passwd, edit /etc/pam.d/passwd as follows.

/etc/pam.d/passwd
#%PAM-1.0
password        sufficient      pam_sss.so
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

Start/enable the sssd.service systemd unit.

You should now be able to see details of your LDAP users with getent passwd <username> or id <username>. If these return nothing, check nsswitch.conf and the sssd logs before touching PAM; authentication cannot work for a user that name resolution does not find.

Once a user has logged in successfully, the credentials are cached (this is what cache_credentials = true above enables) and that user can log in with the cached credentials while the LDAP server is offline or unreachable. The cached credentials are kept as salted hashes in the sssd cache under /var/lib/sss/db, which is readable only by root.

Resources